Contextual Information for Data Signature Evaluation
Exemplary Fingerprint Requests and Target Responses



FTP (file transfer): 

220 rh5.robertgraham.com FTP server (Version wu-2.4.2-academ[BETA-15](1) Sat Nov 1 03:08:32 EST 1997) ready.



Telnet 

Red Hat Linux release 5.0 (Hurricane) 
Kernel 2.0.31 on an i486
login:



SMTP (mail) 

220 rh5.robertgraham.com ESMTP Sendmail 8.8.7/8.8.7; Mon, 29 Nov 1999 23:28:31 -0800



Finger (user information) 

Login    Name                 Tty  Idle  Login Time    Office  Office Phone
rob      Robert David Graham  p0         Nov 29 22:51  (gandalf)
root     root                 p1         Nov 29 23:34  (10.17.128.201:0.0)



HTTP 

HTTP/1.0 200 OK 

Date: Tue, 30 Nov 1997 07:34:59 GMT
Server: Apache/1.2.4
Last-Modified: Thu, 06 Nov 1997 18:20:06 GMT
Accept-Ranges: bytes
Content-Length: 1928
Content-Type: text/html



HTTP 

Date: Fri, 01 Jun 2001 20:38:03 GMT
Server: Apache/1.3.14 (Unix) (Red-Hat/Linux) mod_ssl/2.7.1 OpenSSL/0.9.5a DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24
Last-Modified: Wed, 18 Oct 2000 22:31:33 GMT
ETag: "9327c-b4a-39ee24c5"
Accept-Ranges: bytes
Content-Length: 2890
Connection: close
Content-Type: text/html



POP3

+OK POP3 rh5.robertgraham.com v4.39 server ready

IMAP 

* OK rh5.robertgraham.com IMAP4rev1 v10.190 server ready
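The banners above are useful to a signature engine only once they are reduced to structured fields (service, host, software, version) that a later clause such as a banner glob can be checked against. The following is an added example written for this page, not code from the page or from the system it describes: the regular expressions, the `fingerprint` and `fingerprint_all` functions and the `BANNERS` table are my own, with the banners transcribed from the responses shown above.

```python
import re
from typing import Dict, Optional

# Constructed sample banners, transcribed from the fingerprint examples above
# (inputs typed in here, not live captures).
BANNERS: Dict[str, str] = {
    "ftp": "220 rh5.robertgraham.com FTP server (Version wu-2.4.2-academ[BETA-15](1) "
           "Sat Nov 1 03:08:32 EST 1997) ready.",
    "telnet": "Red Hat Linux release 5.0 (Hurricane)\r\nKernel 2.0.31 on an i486\r\nlogin: ",
    "smtp": "220 rh5.robertgraham.com ESMTP Sendmail 8.8.7/8.8.7; Mon, 29 Nov 1999 23:28:31 -0800",
    "http": "HTTP/1.0 200 OK\r\nDate: Tue, 30 Nov 1997 07:34:59 GMT\r\n"
            "Server: Apache/1.2.4\r\nContent-Type: text/html\r\n\r\n",
    "pop3": "+OK POP3 rh5.robertgraham.com v4.39 server ready",
    "imap": "* OK rh5.robertgraham.com IMAP4rev1 v10.190 server ready",
}

# One anchored pattern per service.  Each checks the protocol-specific prefix
# (reply code, "+OK", "* OK", HTTP status line) before capturing software and
# version, so a banner from the wrong protocol is rejected, not half-parsed.
PATTERNS = {
    "ftp": re.compile(r"\A220 (?P<host>\S+) FTP server \(Version (?P<sw>[A-Za-z]+)-(?P<ver>\S+?)\(\d+\) "),
    "telnet": re.compile(r"\A(?P<sw>Red Hat Linux) release (?P<ver>[\d.]+)"),
    "smtp": re.compile(r"\A220 (?P<host>\S+) E?SMTP (?P<sw>Sendmail) (?P<ver>[\d.]+)/"),
    # status line, then any number of header lines, then the Server header
    "http": re.compile(r"\AHTTP/\d\.\d \d{3}[^\n]*\n(?:[^\n]*\n)*?Server: (?P<sw>[^/\r\n]+)/(?P<ver>\S+)"),
    "pop3": re.compile(r"\A\+OK (?P<sw>POP3) (?P<host>\S+) v(?P<ver>[\d.]+) server ready"),
    "imap": re.compile(r"\A\* OK (?P<host>\S+) (?P<sw>IMAP4rev1) v(?P<ver>[\d.]+) server ready"),
}


def fingerprint(service: str, banner: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {service, host, software, version}, or None if the banner does not fit."""
    pat = PATTERNS.get(service)
    if pat is None:
        return None
    m = pat.match(banner)
    if m is None:
        return None
    g = m.groupdict()
    return {"service": service, "host": g.get("host"), "software": g["sw"], "version": g["ver"]}


def fingerprint_all(banners: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Fingerprint every banner; services whose banner does not parse are omitted."""
    out = {}
    for service, banner in banners.items():
        fp = fingerprint(service, banner)
        if fp is not None:
            out[service] = fp
    return out


if __name__ == "__main__":
    for service, fp in fingerprint_all(BANNERS).items():
        print(f"{service:6s} {fp['software']} {fp['version']}  host={fp['host']}")
```

The version strings are kept verbatim ("2.4.2-academ[BETA-15]", "4.0.4pl1"-style suffixes included) rather than normalised, since the banner clauses in the signatures later on the page are globs over that raw text.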



SMB

SMB: Session Setup AndX response header
SMB:   Word count = 3
SMB:   Parameter words = 75 00 80 00 00 00
SMB:     AndX command = 75 (Tree Connect AndX)
SMB:     AndX reserved (MBZ) = 00
SMB:     AndX offset = 0080
SMB:     Request mode = 0000
SMB:       0 = Not logged in as 'Guest'
SMB:   Byte count = 87
SMB:   Byte parameters = 00 57 00 69 00 6E 00 64 00 (UTF-16LE "Wind", leading pad byte)
SMB:     Server's Native OS = Windows NT 4.0
SMB:     Server's Native LAN Man = NT LAN Manager
SMB:     Server's Primary Domain = AMPHLBTT
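Unlike the text banners, the SMB Session Setup AndX response carries the operating system name inside a binary structure, so extracting it means walking the word block, the byte count and the aligned UTF-16 strings. The parser below is an added example written for this page, not the described system's own decoder. It assumes the Unicode (two-byte) string form shown in the byte parameters, a 32-byte SMB header ahead of the command block (which is why one pad byte precedes the first string), and a `build_sample` helper that constructs a packet from the decoded values above; that sample's byte count is computed from its strings, so it is smaller than the 87 of the captured packet.

```python
import struct
from typing import Dict, Tuple

SMB_HEADER_LEN = 32          # fixed SMB header that precedes the command block
ANDX_NAMES = {0x75: "Tree Connect AndX", 0xFF: "none"}
SMB_SETUP_GUEST = 0x0001     # bit 0 of the Action word: session granted as guest


def _read_unicode_z(data: bytes, pos: int) -> Tuple[str, int]:
    """Read a null-terminated UTF-16LE string starting at pos; return (text, next pos)."""
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le"), end + 2


def parse_session_setup_andx_response(body: bytes) -> Dict[str, object]:
    """Decode the command block (WordCount onward) of a Unicode Session Setup AndX response."""
    word_count = body[0]
    if word_count != 3:
        raise ValueError(f"unexpected WordCount {word_count}, want 3")
    andx_cmd, andx_res, andx_off, action = struct.unpack_from("<BBHH", body, 1)
    (byte_count,) = struct.unpack_from("<H", body, 7)
    data = body[9:9 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount runs past the end of the packet")
    # Unicode strings are 2-byte aligned relative to the start of the SMB header:
    # header (32) + WordCount/params/ByteCount (9) = 41 is odd, so one pad byte follows.
    pos = (SMB_HEADER_LEN + 9) % 2
    native_os, pos = _read_unicode_z(data, pos)
    native_lanman, pos = _read_unicode_z(data, pos)
    primary_domain, pos = _read_unicode_z(data, pos)
    return {
        "word_count": word_count,
        "andx_command": andx_cmd,
        "andx_command_name": ANDX_NAMES.get(andx_cmd, "unknown"),
        "andx_reserved": andx_res,
        "andx_offset": andx_off,
        "action": action,                 # the page labels this word "Request mode"
        "guest": bool(action & SMB_SETUP_GUEST),
        "byte_count": byte_count,
        "native_os": native_os,
        "native_lanman": native_lanman,
        "primary_domain": primary_domain,
    }


def build_sample() -> bytes:
    """Constructed command block mirroring the decode above (not a capture)."""
    def u16z(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"
    data = b"\x00" + u16z("Windows NT 4.0") + u16z("NT LAN Manager") + u16z("AMPHLBTT")
    params = struct.pack("<BBHH", 0x75, 0x00, 0x0080, 0x0000)
    return bytes([3]) + params + struct.pack("<H", len(data)) + data


if __name__ == "__main__":
    for key, value in parse_session_setup_andx_response(build_sample()).items():
        print(f"{key:18s} {value}")
```

The length check against ByteCount matters in practice: a truncated or hostile packet must raise rather than let the string reader run off the end, and the Native OS field should be treated as attacker-controlled text when it is later fed to a glob or stored.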

FIG. 5 

220 mandrake.intra.networkice.com FTP server (Version wu-2.5.0(1) Sat May 22 11:15:07 GMT 1999) ready.
-> USER rob
331 Password required for rob.
-> PASS Cerveza2
230 User rob logged in.
-> SYS RETR /etc/passwd
500 'SYS RETR /etc/passwd': command not understood.
-> PORT 10,10,0,135,4,1
200 PORT command successful.
-> RETR /etc/passwd
150 Opening ASCII mode data connection for /etc/passwd (2661 bytes).
226 Transfer complete.
-> RNFR /etc/passwd
350 File exists, ready for destination name
-> RETR /tmp/etc/passwd
550 /tmp/etc/passwd: No such file or directory.
-> QUIT
221-You have transferred 2719 bytes in 1 files.
221-Total traffic for this session was 3397 bytes in 1 transfers.
221-Thank you for using the FTP service on mandrake.intra.networkice.com.
221 Goodbye.
Excerpt from RFC 959

For each command or command sequence there are three possible outcomes: success (S), failure (F), and error (E). In the state diagrams below we use the symbol B for "begin", and the symbol W for "wait for reply".
Snort 1.7 Signature

alert TCP $EXTERNAL any -> $INTERNAL 21 (
    msg: "IDS213/ftp_ftp-passwd-retrieval-retr";
    content: "RETR"; nocase;
    content: "passwd";
)

Sample signature using one embodiment of the present system

alert TCP $EXTERNAL any -> $INTERNAL $FTP (
    msg: "IDS213/ftp_ftp-passwd-retrieval-retr";
    FTP.filename: "*/passwd";
    FTP.banner: "Version wu-2*";
    FTP.response: "2??";
    FTP.response: "3??";
)
alert TCP $EXTERNAL any -> $INTERNAL $HTTP (
    msg: "system32/cmd.exe";
    HTTP.url: "*/system32/cmd.exe";
    HTTP.server: "IIS/*";
    +HTTP.response: "5??";
    -HTTP.response: "4??";
    -HTTP.response: "2??";
)

alert TCP $EXTERNAL any -> $INTERNAL $HTTP (
    msg: "IIS malformed HTW";
    HTTP.url.extension: "*.htw";
    HTTP.server: "IIS/*";
    -HTTP.response: "5??";
    -HTTP.response: "4??";
    +HTTP.response: "2??";
)
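To make concrete how the contextual signatures differ from the content-only Snort rule, the following added example (not code from the page or from the described system) evaluates the FTP signature against the wu-ftpd session transcript above and the two HTTP signatures against a few constructed HTTP transactions. The clause semantics are an assumption on my part: clauses on the same field OR together, clauses on distinct fields AND together, a `+` response clause is required and a `-` response clause vetoes the alert; banner and server globs are matched unanchored. The `Transaction` model, the `ftp_txn`/`http_txn` decoders and the sample HTTP requests are all constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List

@dataclass
class Clause:
    field: str            # "FTP.filename", "FTP.banner", "HTTP.response", ...
    pattern: str          # shell-style glob: '*' any run, '?' exactly one character
    polarity: str = "+"   # "+" required (unsigned clauses count as "+"), "-" vetoes

@dataclass
class Signature:
    msg: str
    clauses: List[Clause]

@dataclass
class Transaction:
    """One decoded client request plus every reply code the server sent for it."""
    proto: str
    fields: Dict[str, str]     # decoded fields keyed like the clauses
    responses: List[str]       # reply codes in order, e.g. ["150", "226"]
    raw: str = ""              # the raw request line, for the content-match comparison

UNANCHORED = {"banner", "server"}   # assumption: version strings match as substrings

def clause_matches(c: Clause, t: Transaction) -> bool:
    kind = c.field.split(".")[-1]
    if kind == "response":
        return any(fnmatchcase(code, c.pattern) for code in t.responses)
    value = t.fields.get(c.field)
    if value is None:
        return False
    return fnmatchcase(value, "*" + c.pattern + "*" if kind in UNANCHORED else c.pattern)

def evaluate(sig: Signature, t: Transaction) -> bool:
    """Assumed semantics: clauses on one field OR together, distinct fields AND
    together, and any matching '-' clause vetoes the alert outright."""
    if t.proto != sig.clauses[0].field.split(".")[0]:
        return False
    required: Dict[str, List[bool]] = {}
    for c in sig.clauses:
        hit = clause_matches(c, t)
        if c.polarity == "-":
            if hit:
                return False
        else:
            required.setdefault(c.field, []).append(hit)
    return all(any(hits) for hits in required.values())

def snort_style_match(raw: str) -> bool:
    """The Snort 1.7 rule: 'RETR' (nocase) and 'passwd' anywhere, no context at all."""
    return "retr" in raw.lower() and "passwd" in raw

# Signatures transcribed from the page.
FTP_PASSWD = Signature("IDS213/ftp_ftp-passwd-retrieval-retr", [
    Clause("FTP.filename", "*/passwd"), Clause("FTP.banner", "Version wu-2*"),
    Clause("FTP.response", "2??"), Clause("FTP.response", "3??")])
IIS_CMD_EXE = Signature("system32/cmd.exe", [
    Clause("HTTP.url", "*/system32/cmd.exe"), Clause("HTTP.server", "IIS/*"),
    Clause("HTTP.response", "5??", "+"), Clause("HTTP.response", "4??", "-"),
    Clause("HTTP.response", "2??", "-")])
IIS_HTW = Signature("IIS malformed HTW", [
    Clause("HTTP.url.extension", "*.htw"), Clause("HTTP.server", "IIS/*"),
    Clause("HTTP.response", "5??", "-"), Clause("HTTP.response", "4??", "-"),
    Clause("HTTP.response", "2??", "+")])

# Constructed decoders: only a real file command yields FTP.filename, which is
# what separates "RETR /etc/passwd" from the rejected "SYS RETR /etc/passwd".
FTP_BANNER = ("220 mandrake.intra.networkice.com FTP server "
              "(Version wu-2.5.0(1) Sat May 22 11:15:07 GMT 1999) ready.")
FILE_COMMANDS = {"RETR", "STOR", "DELE", "RNFR", "RNTO"}

def ftp_txn(line: str, responses: List[str]) -> Transaction:
    verb, _, arg = line.partition(" ")
    fields = {"FTP.banner": FTP_BANNER}
    if verb.upper() in FILE_COMMANDS and arg:
        fields["FTP.filename"] = arg
    return Transaction("FTP", fields, responses, raw=line)

def http_txn(url: str, server: str, status: str) -> Transaction:
    path = url.split("?", 1)[0]                   # globs apply to the path only
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    return Transaction("HTTP", {"HTTP.url": path, "HTTP.url.extension": ext,
                                "HTTP.server": server}, [status], raw=url)

# The wu-ftpd session from the page, as request/response pairs.
FTP_SESSION = [
    ftp_txn("USER rob", ["331"]), ftp_txn("PASS Cerveza2", ["230"]),
    ftp_txn("SYS RETR /etc/passwd", ["500"]),      # not understood: nothing was read
    ftp_txn("PORT 10,10,0,135,4,1", ["200"]),
    ftp_txn("RETR /etc/passwd", ["150", "226"]),   # the transfer that actually succeeded
    ftp_txn("RNFR /etc/passwd", ["350"]),          # 350 is "3??", so this is flagged too
    ftp_txn("RETR /tmp/etc/passwd", ["550"]),      # no such file: nothing was read
    ftp_txn("QUIT", ["221"]),
]

if __name__ == "__main__":
    print("contextual:", [t.raw for t in FTP_SESSION if evaluate(FTP_PASSWD, t)])
    print("content-only:", [t.raw for t in FTP_SESSION if snort_style_match(t.raw)])
```

Run against the transcript, the content-only rule fires three times, including on the `SYS RETR` line the server rejected with 500 and on the 550 miss, while the contextual signature fires only where the server's reply confirmed the file exists (the 226 transfer and, because 350 falls in "3??", the RNFR). For the HTTP signatures the decoder strips the query string before globbing the path, and the `-` clauses are what keep a 404 from a probe, or a 200 from an unaffected server, from raising the cmd.exe or HTW alert.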
RedHat 6.2

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp   1024  nlockmgr
    100021    3   udp   1024  nlockmgr
    100021    1   tcp   1024  nlockmgr
    100021    3   tcp   1024  nlockmgr
    100024    1   udp    980  status
    100024    1   tcp    982  status

RedHat 7.0

Solaris 8

   program vers proto
    100000    4   tcp